PDFATTACK.PDF

PDF ATTACK A Journey from the Exploit Kit to the Shellcode Jose Miguel Esparza @EternalTodo Who am I • Jose Miguel Esparza • Senior Cybercrime Analyst at Fox-IT InTELL – Malware, Botnets, CCs, Exploit Kits, … • Security Researcher at Home ;p – PDF, NFC, … • • @EternalTodo on Twitter Agenda • A Journey from the Exploit Kit to the Shellcode – Exploit Kits: the source of evil – PDF basics –Some basic peepdf commands –Analyzing PDF exploits • Extracting and analyzing shellcodes –Obfuscation of PDF files Requirements • Linux distribution – Libemu / Pylibemu –V8 / PyV8 • Last peepdf version –Checkout from the repository or update! Exploit Kits: the source of evil • Best way to infect a computer • Effective and fresh exploits – IE –Java – PDF – Flash –… • Average of 6-7 exploits Exploit Kits: the source of evil Exploit Kits: the source of evil Java 7u11 Java Byte Verify Java CMM Java 7u17 Exploit Kits: the source of evil • Most used nowadays – Magnitude (TopExp) – Neutrino – Infinity (Goon/RedKit v2) – Ramayana (DotkaChef) – Fiesta –Styx – Nuclear –… KahuSecurity Exploit Kits: the source of evil • Infection steps –Visit injected website / Click SPAM link – Redirection (maybe more than one) –Obfuscated Javascript – Plugin detection –Trying exploits – Done! Exploit Kits: the source of evil • Traffic Distribution Systems (TDS) –Country specific attacks –TDS +